External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-20 07:59:00 +00:00
Code

qemu: don't hold monitor and agent job when setting time

Browse Source 
We have to assume that the guest agent may be malicious so we don't want
to allow any agent queries to block any other libvirt API. By holding
a monitor job while we're querying the agent, we open ourselves up to a
DoS.

Split the function so that the portion issuing the agent command only
holds an agent job and the portion issuing the monitor command holds
only a monitor job.

Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Jonathon Jongsma 2019-12-05 10:08:53 -06:00 committed by Michal Privoznik
parent a663a86081
commit e005c95f56
1 changed files with 35 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
src/qemu/qemu_driver.c
View File

@ -20303,6 +20303,35 @@ qemuDomainGetTime(virDomainPtr dom,
} }
static int
qemuDomainSetTimeAgent(virQEMUDriverPtr driver,
virDomainObjPtr vm,
long long seconds,
unsigned int nseconds,
bool rtcSync)
{
qemuAgentPtr agent;
int ret = -1;
if (qemuDomainObjBeginAgentJob(driver, vm, QEMU_AGENT_JOB_MODIFY) < 0)
return -1;
if (virDomainObjCheckActive(vm) < 0)
goto endjob;
if (!qemuDomainAgentAvailable(vm, true))
goto endjob;
agent = qemuDomainObjEnterAgent(vm);
ret = qemuAgentSetTime(agent, seconds, nseconds, rtcSync);
qemuDomainObjExitAgent(vm, agent);
endjob:
qemuDomainObjEndJob(driver, vm);
return ret;
}
static int static int
qemuDomainSetTime(virDomainPtr dom, qemuDomainSetTime(virDomainPtr dom,
long long seconds, long long seconds,
@ -20312,7 +20341,6 @@ qemuDomainSetTime(virDomainPtr dom,
virQEMUDriverPtr driver = dom->conn->privateData; virQEMUDriverPtr driver = dom->conn->privateData;
qemuDomainObjPrivatePtr priv; qemuDomainObjPrivatePtr priv;
virDomainObjPtr vm; virDomainObjPtr vm;
qemuAgentPtr agent;
bool rtcSync = flags & VIR_DOMAIN_TIME_SYNC; bool rtcSync = flags & VIR_DOMAIN_TIME_SYNC;
int ret = -1; int ret = -1;
int rv; int rv;
@ -20327,14 +20355,6 @@ qemuDomainSetTime(virDomainPtr dom,
priv = vm->privateData; priv = vm->privateData;
if (qemuDomainObjBeginJobWithAgent(driver, vm,
QEMU_JOB_MODIFY,
QEMU_AGENT_JOB_MODIFY) < 0)
goto cleanup;
if (virDomainObjCheckActive(vm) < 0)
goto endjob;
/* On x86, the rtc-reset-reinjection QMP command must be called after /* On x86, the rtc-reset-reinjection QMP command must be called after
* setting the time to avoid trouble down the line. If the command is * setting the time to avoid trouble down the line. If the command is
* not available, don't set the time at all and report an error */ * not available, don't set the time at all and report an error */
@ -20344,18 +20364,14 @@ qemuDomainSetTime(virDomainPtr dom,
virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
_("cannot set time: qemu doesn't support " _("cannot set time: qemu doesn't support "
"rtc-reset-reinjection command")); "rtc-reset-reinjection command"));
goto endjob; goto cleanup;
} }
if (!qemuDomainAgentAvailable(vm, true)) if (qemuDomainSetTimeAgent(driver, vm, seconds, nseconds, rtcSync) < 0)
goto endjob; goto cleanup;
agent = qemuDomainObjEnterAgent(vm); if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
rv = qemuAgentSetTime(agent, seconds, nseconds, rtcSync); goto cleanup;
qemuDomainObjExitAgent(vm, agent);
if (rv < 0)
goto endjob;
if (virDomainObjCheckActive(vm) < 0) if (virDomainObjCheckActive(vm) < 0)
goto endjob; goto endjob;
@ -20374,7 +20390,7 @@ qemuDomainSetTime(virDomainPtr dom,
ret = 0; ret = 0;
endjob: endjob:
qemuDomainObjEndJobWithAgent(driver, vm); qemuDomainObjEndJob(driver, vm);
cleanup: cleanup:
virDomainObjEndAPI(&vm); virDomainObjEndAPI(&vm);